From 7da289bd941efe3cedb4a428d83fd51f96f57899 Mon Sep 17 00:00:00 2001
From: Evgeny Fadeev
Date: Tue, 26 Feb 2013 01:07:34 -0300
Subject: added csrf protection to the widget forms

---
 askbot/templates/embed/delete_widget.html | 2 +-
 askbot/templates/embed/widget_form.html | 2 +-
 askbot/views/widgets.py | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/askbot/templates/embed/delete_widget.html b/askbot/templates/embed/delete_widget.html
index ed80c537..7f4be5a3
--- a/askbot/templates/embed/delete_widget.html
+++ b/askbot/templates/embed/delete_widget.html
@@ -5,7 +5,7 @@

Are you sure that you cant to delete this {{widget_name|capitalize}}Widget?


Warning: This could break the widgets on sites that currently use this widget please make sure that you don't use the widget in other sites
-
+{% csrf_token %}

Go Back

{% endblock %}
diff --git a/askbot/templates/embed/widget_form.html b/askbot/templates/embed/widget_form.html
index 65128d8e..ad1562aa
--- a/askbot/templates/embed/widget_form.html
+++ b/askbot/templates/embed/widget_form.html
@@ -6,7 +6,7 @@ {#% if form.non_field_errors() %} {{ form.non_field_errors() }} {% endif %#}
-
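Review bot: The token alone does not protect the delete action, because Django's CSRF check runs only for unsafe methods, and the `<form>` tag the `{% csrf_token %}` sits in has been stripped from this extract; confirm it declares `method="post"` and that `delete_widget` refuses to delete on GET, otherwise a crafted link to the delete URL still triggers the deletion with no token involved. The prompt on the same page reads `cant to delete`, presumably meant as `want to delete`.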
+{% csrf_token %} {{ form.as_table() }}
diff --git a/askbot/views/widgets.py b/askbot/views/widgets.py
index f607411d..4d7d02b2
--- a/askbot/views/widgets.py
+++ b/askbot/views/widgets.py
@@ -157,6 +157,7 @@ def list_widgets(request, model):
     return render(request, 'embed/list_widgets.html', data)
 
 @decorators.admins_only
+@csrf.csrf_protect
 def create_widget(request, model):
     form_class = _get_form(model)
     model_class = _get_model(model)
@@ -175,6 +176,7 @@ def create_widget(request, model):
     return render(request, 'embed/widget_form.html', data)
 
 @decorators.admins_only
+@csrf.csrf_protect
 def edit_widget(request, model, widget_id):
     model_class = _get_model(model)
     form_class = _get_form(model)
@@ -214,6 +216,7 @@ def edit_widget(request, model, widget_id):
     return render(request, 'embed/widget_form.html', data)
 
 @decorators.admins_only
+@csrf.csrf_protect
 def delete_widget(request, model, widget_id):
     model_class = _get_model(model)
     widget = get_object_or_404(model_class, pk=widget_id)
-- 
cgit v1.2.3-1-g7c22
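Review bot: `{% csrf_token %}` is a tag of Django's own template engine, while the call syntax `form.as_table()` and `form.non_field_errors()` in this template points to Jinja2, where the tag exists only if the project's Jinja2 integration registers it. Confirm that the rendered page really contains the hidden `csrfmiddlewaretoken` input, because with `csrf_protect` now on the views a tag that renders empty turns every create/edit POST into a 403. The commented-out `{#% if form.non_field_errors() %}` block remains dead code in the template and could be either restored or dropped.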
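Review bot: `csrf` is referenced by the new decorator but the diffstat shows widgets.py gained exactly these three decorator lines, so no import was added in this commit; unless `csrf` is already bound in the module (e.g. `from django.views.decorators import csrf`), the module fails at import time with a NameError. The decorator order means `admins_only` runs before the CSRF check, which is acceptable since an anonymous POST is rejected either way. The body of create_widget continues outside the hunk.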
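Review bot: Per-view `csrf_protect` is a partial measure: if `CsrfViewMiddleware` is already enabled in the project's `MIDDLEWARE_CLASSES` the decorator is redundant here, and if it is not, only these three widget views are covered while every other POST view in the app remains unprotected. The safer fix is to enable the middleware site-wide and keep the decorator only as defense in depth, with a one-line comment such as `# csrf_protect kept in case the middleware is disabled by a deployment`. The body of edit_widget continues outside the hunk.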
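Review bot: `csrf_protect` validates only POST/PUT/PATCH/DELETE requests, so it protects this view only if the deletion itself happens on POST; the body of delete_widget is outside the hunk, so confirm that the GET branch merely renders the confirmation page and that the actual delete runs under `if request.method == 'POST':`. If the view currently deletes on any method, the decorator adds nothing and the branch that deletes needs a method check before this change can be called CSRF protection. The rest of the function continues outside the hunk.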